Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Adobe Tightens Development Process to Improve Security

After having three known zero-day bugs hit the Web so far in 2009, Adobe Systems is starting to talk security. Since February, Adobe has been making changes to its software development process and is planning to begin issuing quarterly updates starting this summer.

WEBINAR:On-Demand

In February, news that Adobe Reader and Acrobat were vulnerable to a zero-day attack became public; in April, two other bugs surfaced. All three were eventually patched, but not before proof-of-concept exploit code for each bug began to circle. In the case of the flaw publicized in February, hackers feasted on the bug for at least two months before a fix was issued-and the initial patch didn't cover every version of the programs.

Since then, Adobe said, it has been changing its development process to improve software security. The project has been focused on three main areas: hardening the code, improving the incident response process and putting together a plan for issuing quarterly updates for Reader and Acrobat.

"We have for years now been following our secure product life cycle, which defines how we integrate security into the regular way that we build software at Adobe," said Brad Arkin, Adobe's director for product security and privacy. "For most of the projects, and particularly for Reader and Acrobat, our secure product life-cycle activities have mainly been focused on the new code and the new features that we're writing, and it hasn't fully addressed the potential security problems in the legacy code and features."

Further reading

The idea basically extends best practices such as threat modeling and testing throughout the entire development process.

"All of these activities are helping us to identify potential problems so that we can then resolve them before a malware author or another malicious actor might find them," Arkin added.

Arkin admitted that some vulnerabilities are inevitably going to appear, which is where the updates come in. Starting in summer 2009, Adobe will issue quarterly patches to deal with any security issues. Though the company is still hammering out the exact timeline, the general plan is for the releases to coincide with Microsoft's Patch Tuesday.

"What we heard from our customers is that offering the updates on the same day will help align with the way our customers today are applying patches," Arkin said.

Statistics from Qualys released in April showed that many Acrobat and Reader users were behind in their patches, even as news of a zero-day continued to circulate. Perhaps it is unsurprising then that hackers often use exploits targeting Reader and Adobe Flash as a way in.

"This is something that we're talking publicly about now even though we've been working on it since February, and in the months to come we're going to continue talking about further details and new ideas that we have for how we can better improve the security for Reader and Acrobat and make the product even more safe to use for our customers," Arkin said.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.